comodo firewall 3.0 is easily killable via the task manager

Discussion in 'other firewalls' started by hany3, Jan 11, 2008.

Thread Status:
Not open for further replies.
  1. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    after several trials, end result :comodo 3.0 is easily killable

    as i don't like the defense++ in comodo 3.0 , and don't like stay on my pc answering alot of questions , also my young brothers don't have more experience to answer such questions , they could allow a malware to run by answering yes to any pop up , so the defence plus don't match my case

    i just want a firewall to monitor the traffic

    and as comodo give me the choice to install the firewall without the hips
    so i did so

    but recently i discovered that comodo with the hips disabled is very easily killable by the task manager

    so that comodo is useless without the defense plus as any weak trojan can easily terminate the firewall process and get access to outside without my permission

    why they give us option to install the firewall without the annoying defense plus , if the firewall in this case will not be able to protect itself from being easily terminated by any malware even the very weak ones

    if they allow the option to install the firewall without the defense plus , they must let the firewall to be able to protect itself without the hips


    for any one that want to be sure that comodo is easily killable
    just disable the defense plus and terminate the cfp.exe process from the task manager
     
    Last edited: Jan 14, 2008
  2. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    I confirmed that on my buddies pc. ~~ snipped off topic comment ~~
     
    Last edited by a moderator: Jan 11, 2008
  3. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Dear Doctor,

    Comodo has 2 running processes.
    1) Cfp.exe which is the graphic interface aka the icon you see on your system tray.
    2)Cmdagent.exe, which is the real firewall driver.

    You can kill cpf.exe, but you can't kill the driver. Try it out. If you kill cpf.exe, the firewall isn't dead. Using custom policy mode, it blocks any new connection (meaning any connection for which there aren't already rules available).
    So , the programs for which you had given permission before killing the graphic interface, will connect. Any new programs, won't. So the trojan won't be able to call home.

    The firewall will protect itself,but not the graphic interface. One of the bonuses of Defence plus, is that you can block the termination of cpf.exe too, from a NON TRUSTED application (such as trojan).

    I would also suggest to read well the help file, as to discover the various operating mods that will make D+ less noisy.

    Kind Regards.
    Fuzzfas
     
  4. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    hii fozfass , thanks for ur valuable reply , and i hoped u r right
    but when i searched in the comodo forum
    i found the same problem " comodo easily killable without defense plus"
    so it seems that it's a know issue in comodo
    http://forums.comodo.com/leak_testingattacksvulnerability_research/comodo_firewall_is_easily_killable-t13985.15.html

    and when i terminated the cfp.exe by the task manager
    new applications that don't have rules before
    accessed the internet without any prompting

    i can suppose that what is happening here , is exceptional
    but is it very difficult for comodo vendor to allow cfp.exe protection without the defense ++ ??
    i think if a trojan just can disable graphical interface and icon of comodo it will be a shame for a powerfull firewall like comodo to be overcomed in such way
    this is if cfp.exe is only concerned with comodo graphics as u said and don't have in rule in the firewall protection processes
    but if it is involved in these processes it will be a fatal mistake
     
  5. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I would not go by what is in the task manager. If you have administrative rights there are all sorts of ways to terminate programs using the right programming techniques.

    If what goes on in the task manager bothers you its possible to go into services.msc, find the service, choose the recovery tab and make settings to restart it. This works with all sorts of things.

    By the way Dr. I have this little problem and need for you to operate...

    In that Comodo post cited above it said that a V 2 "like" operating mode is planned for the future. That would be great.
     
  6. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    @Dr. Samir
    Odd, i tried this yesterday with the latest Comodo. Make sure you have the firewall set to "custom policy" and try again.

    P.S.: Even if the malware does kill cpf.exe, as long as cmd.exe is running, you can always go to start-programs-comodo and click it. The GUI will reappear. Try it at "custom policy". Maybe you had it in the other modes, where the firewall automatically allows access to trusted programs. In my case, no "new" program would connect.
     
    Last edited: Jan 12, 2008
  7. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    True Fuzz and I retract my last statement. I my new lap top I tried all I can do to terminate cmdagent and I cannot.
     
  8. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    Though I never tried it when I was running it, I remember reading this PCMag review:

     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    You're talking about what happens when you get infected. Wrong.
    You should talk about what happens before you get infected.

    Why should malware try to disable the firewall. There are better methods. Patch the tcpip stack and your firewall will never blink.

    Discussing post-infection mitigation is asking how a removed limb can be reattached to the body when you should make sure you don't cut it off in the first place - as a doctor, you might relate.

    Like medicine, prevention is the key ...

    Mrk
     
  10. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Dear Friends
    thanks so much for your all precious comments , i appreciate all of them
    after many trials here, i can confess now that disabling the cfp.exe not affecting the main job of the firewall , Despite i share Mr. DIVER in his hope to see a version like opertaing mode in version 3 for those who don't like defense ++ ,i just need a limited component control with traffic monitor
     
    Last edited: Jan 12, 2008
  11. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207

    HI MRKVONIC
    sure i agree with you
    there 's prevention medicine , which aim at decreasing the disease incidence rate
    and therapeutic medicine , which aim at curing diseases that have already occurred

    SO
    the traditional antivirus , antitrojan , antispyware all target at preventing the infection with know malware
    HIPS target at preventing infection with a malware which is not known yet by the antivirus database "zero day attack"

    all the above are like the prevention medecine

    BUT

    a firewall monitiring inbound and outbound connection is supposed to block any trial of the malware "that could escape all the above layers of protection" to connect to outside and not being easily disabled by this malware
    so the firewall in this case will be like the medicines which try to decrease the spread of the disease and all its harmfull effects to the body

    then the antivirus again will play the rule to cure this malware when its code is being downloaded as AV updates to be included in the AV database

    BEST REGARDS
     
  12. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    i'm very disappointed now
    i could easily terminate both processes of comodo through the task manager
    cfp.exe
    Cmdagent.exe

    which means that comodo is liable to complete disable by a malware program , with the defense++ disabled
     
  13. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    How may I ask you did this. I tried over and over and cannot. I have D+ enabled.
     
  14. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    it can be done only if the defense plus is disabled
    or if u installed comodo without defense plus from the begining
     
  15. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Hello Doctor!

    I thought you were wrong, but now i see you are right. My default task manager doesn't kill it, but Window's default does. Shame.
     
    Last edited: Jan 14, 2008
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Has it been reported on their forums?
     
  17. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    yes there is a topic there about this problem
    and i have just made another thread there explaining this problem in details
     
  18. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Hello Fuzzfas
    thanks for reporting back
    both of us wants comodo to be problem free no matter who's right
    but i really hope that they fix this issue sooner
    best regards
     
  19. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,191

    Not quite. CFP 3.0 failed to resist fake mouse clicks attack, here it is what it says:
    "My wacky attempt to turn off protection using simulated mouse clicks did succeed, but just barely. The little program I wrote can fake a click in any location, but I didn't give it a way to move slider controls. Setting the firewall to Disabled using fake clicks required pixel-perfect accuracy—there's no way a malicious program could automate the process."
     
  20. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    thanks for this explanation
    i red the pcMAG review quickly but i didn't notice these points
     
  21. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    Did you also notice the settings dialogue was open? It would be almost impossible for a malware to open up the settings and move the slider. Plus you would receive alerts the malware was touching comodo
     
  22. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    did u read the full thread and replies?? i doubt
    what is the main subject of the thread ?? comodo 3.0 without defense+ so u will never recieve alert if comodo is touched by a malware

    all facts shown in pcMAG is concerned with comodo with defense+ enabled
    so comodo can not protect against fake clicks with the defense+ active

    if we can easily terminate
    cfp.exe
    Cmdagent.exe
    when defense+ is disabled
    so the fact that its difficult for any malware to terminate comodo without hips is wrong "in fact any weak trojan could do that
     
  23. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,191
    Hi, Hany, I wanted to ask you something.
    If you use only Comodo's basic firewall:please, go see into C:/ProgramFiles/Comodo can you delete all of Comodo's files manually, if yes than this serious vulnerability.
    Because for example Jetico 2.0.1.2 processes can be deleted in task manager, but Jetico2's own files are all self-protected.
    And besides, look at the results in firewallleatester.com, Jetico2 resisted all of the attempts to disable self-protection.
    Here are the criterions:
    http://www.firewallleaktester.com/termination_overview.php

    And here are the results(only the red X means that firewall's self-protection was disabled):
    http://www.firewallleaktester.com/termination.php
     
  24. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    Local security is a field of its own. You are mixing internet security and local security. In Windows, as Admin, local security is nil. As a LUA, it is somewhat improved. But nothing can really protect from physical access and tampering. Not even Linux or anything else is safe from local tampering.

    Manually deleting files means nothing. In that regard, why not delete a few system files and render your system unbootable?

    Mrk
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: after several trials, end result :comodo 3.0 is easily killable

    This is what was requested. The ability to install the base firewall.

    The request to make this Base install of the firewall was made with thought that the user would have an HIPS installed, so that would make any protection needed.

    I have not looked at if Comodo firewall (just firewall) does protect itself or not, but if it did, it could actually cause problems to other HIPS,.... which is the main reason that the firewall could be installed as basic (without possible conflict to other HIPS).


    Maybe a big red warning sign from Comodo,.. or maybe more attention/thoughts from users on installation?

    I am no big supporter of comodo (or any other firewall/vendor), but I fully support the fact the user is allowed to install the firewall only (regardless is this is not protected from termination ~ use 3rd party HIPS as intended)

    If Comodo if reading. Please leave this possibility, I fully support this. (just some education/need to warn users)
     
Loading...
Thread Status:
Not open for further replies.